Are these mysql_real_escape_string usages same?

Question

Are they both same? Thanks.

$user = $_POST['user'];
$user = mysql_real_escape_string($user);
$result = mysql_fetch_array(mysql_query("SELECT * FROM accounts WHERE id='$user'"));

vs

$user = $_POST['user'];
$result = mysql_fetch_array(mysql_query(sprintf("SELECT * FROM accounts WHERE id='%s'",mysql_real_escape_string($user))));

Answer 1

Yes, that is equivalent.

You can verify it like this:

$user = $_POST['user'];
$user = mysql_real_escape_string($user);
echo "SELECT * FROM accounts WHERE id='$user'";

-vs-

$user = $_POST['user'];
echo sprintf("SELECT * FROM accounts WHERE id='%s'", mysql_real_escape_string($user));

Answer 2

Yes, they are the same

http://php.net/manual/en/function.sprintf.php

Answer 3

Yes they're equivalent. Usually though, you will use sprintf to make the code easier to read, and the query easier to modify:

$user = $_POST['user'];
$sql = sprintf("SELECT * FROM accounts WHERE id='%s'", 
    mysql_real_escape_string($user)
);
$result = mysql_fetch_array(mysql_query($sql));